The document argues that many proclaimed "sophisticated attacks" are actually the result of unsophisticated security practices. It defines what constitutes a truly sophisticated attack and establishes "Irari Rules" for determining whether an attack was sophisticated or took advantage of basic security failures. Many high-profile attacks exploited known vulnerabilities like poor passwords, lack of multifactor authentication, or unpatched malware rather than innovative hacking methods. Focusing on sophistication distracts from addressing underlying security issues that could prevent attacks.

1. The Sophisticated Attack Myth:
Hiding Unsophisticated Security
Programs
Applying the Irari Rules
IraWinkler, CISSP
ira@securementem.com
+1-443-603-0200
AraceliTreu Gomes
ari@securementem.com
+1-443-603-0200

2. Preamble
The Media loves a good story, and we give them
what they want
– Spoon-feed it to them
– Want to know who is responsible for attacks
– Confuse the “who” with the “how”
– We love a bad drama
– We love a good conspiracy!
2

3. Why This Matters to Us
• It destroys our focus
• It changes the story
• It asks questions that shouldn’t be asked
• It deflects blame
– Bad security vs unstoppable enemy
• “If the top organizations can be hit, there is no
way anyone will expect us to stop the attacks”
3

4. The Question That Should Be Asked
Was it really a “sophisticated” attack, or
just bad security?
4

5. The Proclaimed “Sophisticated
Attacks”
• Sony
• Target
• CENTCOM
• You name it, it’s sophisticated according to
someone
5

6. It Can Also Help You
• It gets people talking about security
• Use the narrative to help your cause
– If management is concerned about the hype, use
it
• Highlighting the common vulnerabilities
exploited during attacks can get you funding
to mitigate similar vulnerabilities
• Stating how your security would have stopped
the attacks would give you kudos
6

7. Looking at Target
• Went in through phishing message to vendor
• Worked through vendor network to
compromise business network
• Identified targeted systems
• Set up exfiltration servers
• Exfiltrated data
• Went undetected
7

8. Sophisticated?
• Attackers were disciplined
• Attackers were persistent
• Preventable? HELL NO!
– Network monitoring tools ignored
– Phishing messages expected
– Improper network segmentation
– Lack of whitelisting on POSs
– No monitoring
– Etc.
8

9. Examining Sony
• Attackers were North Korean
– Get over it
• Likely spearphishing attack
• Used credentials in established malware
• Accessed critical systems with credentials
• Destroyed key systems
• Downloaded lots of data
9

10. Sophisticated?
• Attackers were fairly disciplined
• Attackers were very good at getting in the
network
• Preventable: HELL NO!
– Malware should have been detected
– No multifactor authentication
– Passwords were static
– Etc.
10

11. CENTCOM
• The world was talking about how advanced
ISIS was
• The media questioned the security of US
Government systems and classified data
• Politicians were horrified and wanted answers
• It was their Twitter feed
• It was their YouTube feed
11

12. Sophisticated?
• It does take some work to figure out who has
access to the accounts
• But again, it was likely a spearphishing attack,
or more likely an easily guessed password
• From there it was just a free-for-all
12

13. IRS Breach
• 104,000 records compromised through Get Transcript
function
– 200,000 attempted breaches
• Compromised authentication scheme
• Required “information on the taxpayer had”
– Hmmmm….
• Criminal downloaded records, filed false tax returns
– Stole $50 Million
• IRS Commissioner said it couldn’t be stopped citing
– Smart criminals with lots of advanced computers, hiring
smart people
– OMG
13

14. Sophisticated?
• All the criminals needed was credit reports
• IRS used commercial system that asked
questions with answers available through
credit reports
• Went undetected for 200,000 relatively
intensive attempts
14

15. Preventing the Target Attack
• Management who knew not to ignore
network monitoring tools
• Warnings to vendors
• Proper segmentation of business networks
• Configuration monitoring
• Whitelisting
• Better monitoring
Should any of this not have been in place?
15

16. Preventing the Sony Attack
• Multifactor authentication for admin accounts
• Changing admin passwords on a periodic basis
• Network monitoring for unusual activity
• Anti-malware tools in place
• DLP for critical files…like movies
16

17. Preventing the CENTCOM Attack
• Better passwords
• Multifactor authentication
17

18. Preventing the IRS Attack
• Frankly authentication might not be feasible
to strengthen
• Better detection
• IP analysis
• Rapid increase in requests
• Etc
• Focus on misuse detection
18

19. The Common Threads
• Lack of multifactor authentication
• Poor or lack of network monitoring
• Poor user awareness
• Poorly configured access controls
• Lack of or outdated anti-malware
• No DLP
19

20. A REAL “SOPHISTICATED” ATTACK
20

21. The Equation Group
• Supposedly NSA TAO
• Exploited multiple 0-Day
vulnerabilities
• Installed pre-delivery
• Undetectable, even if you
know to look for it
• Required reverse
engineering of hard
drives
• Targeted specific users and
systems
• Hundreds of Command & Control
servers
• Multiplatform malware
• Designed to bridge air gaps
• Went undetected for 14 years

22. WHAT CONSTITUTES A
“SOPHISTICATED” ATTACK?

23. You Know It When You See It
• It’s like pornography
• It is complicated
• It can’t be stopped with security countermeasures that
“Should” be in place
• Methods are what make attacks sophisticated
• It is not based upon the damage or results
• It is not based upon the “persistence” of the attacker
– APT attacks are persistent, but not necessarily
sophisticated
• It is easier to say what is NOT “Sophisticated”

24. THE IRARI RULES:
IT IS NOT A SOPHISTICATED ATTACK IF…
24

25. …The Attack Began With A
Phishing Message
• There are limited advanced techniques against people
• Stupidity/Ignorance doesn’t take a lot to exploit
• The “Stupidity” is often on the part of the security
team for assuming Common Knowledge (common
sense?) among users
• The default cause is that awareness programs are
insufficient
• For a phishing message to be successful, it has to go
through many layers of security countermeasures, not
just a user
– Refer to Ira’s other presentation on the phishing kill chain

26. …The Malware Used Should Have Been
Detected
• Too many attacks, such as Sony, used known
malware
• The failure to detect known malware is a sign
of a poor security program
• There really isn’t much more to discuss
• Sadly, this needs to be said
26

27. …Passwords Were Likely Guessed
• Easily guessed passwords are way too
common
• Usually results from account access being
shared or poor security policies
• Again, this is just indicative of a poor security
program
27

28. …User Awareness Exploited With
Poor Awareness Program In Place
• CBT is not an awareness program, it is training
• Phishing simulations are not awareness
programs, they are usually teaching people to
detect simulated phishes
28

29. …Known Vulnerabilities Were
Exploited
• If a known vulnerability was exploited, the attack
could have been prevented, and likely should
have been prevented…
– It is another indicator of a poor security program in
place
• If a string of known vulnerabilities were
exploited, the attack clearly could have been
prevented…
– Even if a patch was not available, other mitigations
can be put in place, such as turning off unnecessary
services and ports
29

30. …Multifactor Authentication Was
Not Used On Critical Systems
• Critical systems, and especially admin
accounts, should have this basic protection in
place
• Stops password reuse, bad passwords,
password sniffing, etc.
Props to JPMorgan Chase for acknowledging a recent hack resulted
from not having multifactor authentication in place
30

31. …Passwords Were Hardcoded Into
Malware
• Just like the Sony Attack
• It demonstrates that even if there is no
multifactor authentication, they don’t
regularly change passwords, which
demonstrates bad security programs
31

32. …Detection Mechanisms Were
Ignored Or Not In Place
• There should be IDS/IPS in place
• There should be DLP in place on critical systems
• There should be network monitoring in place
• You should see movies go out of your
organization
• You should see 100,000,000 credit cards go out of
your network
• If you’re not looking for that, shame on you
• Most important, you should not ignore the
warnings when they occur
32

33. …Poor Network Segmentation Was
In Place
• Vendor networks should not connect to POS
• Business networks should not be connected to
SCADA systems
• There should be a conscious network design in
place that incorporates risk, not just cost
33

34. …User Accounts Had Excessive
Privileges
• Low level account compromises should not
lead to critical data
• It demonstrates poor administrator
procedures
• Indicative of a poor security program in place
34

35. The Irari Rules of Sophisticated
Attacks
• Must not actualize because of a Phishing message
• Malware must have been undetectable
• Passwords were not easily guessed
• User awareness exploited with poor awareness program in place
• Known vulnerabilities cannot have been exploited
• Multifactor authentication in use on critical systems
• Passwords were not hardcoded into the systems
• Detection capability was in place and not ignored
• Proper network segmentation in place
• User accounts had minimum privileges
35

36. Conclusions
• They hype does impact our ability to be
effective
• Make use of the hype
• “How” dictates sophistication; “how” first,
“who” later
• Unsophisticated attack vectors tell you where
countermeasures are required
• If it happens to someone else, it is likely
happening to your organizations, so get
countermeasures in place quickly
36

37. For More Information
• ira@securementem.com
• +1-443-603-0200
• @irawinkler
• www.securementem.com
• www.linkedin.com/in/irawinkler
• Facebook.com/irawinkler
37
Ira Winkler, CISSP Araceli Treu Gomes,
Dozens of Certs
• ari@killchain.net
• @sleepdeficit_
• www.linkedin.com/in/sleep
deficit
• Facebook.com/sleepdeficit
• www.irarireport.com
• @irarireport.com